I am trying to use a Client Credentials grant flow to obtain an API access token for a Jack Henry Digital Toolkit Admin/Alerts() request, but keep getting the following error response:

{"error":"invalid_request","error_description":"no client authentication mechanism provided"}

Below is an example of my curl request which attempts to use a SignedJWT (client_assertion) to authenticate rather than the client secret.

curl --request POST --url 'https://banno.com/a/oidc-provider/api/v0/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data-urlencode client-id=$CLIENT_ID \
--data-urlencode grant_type=client_credentials \
--data-urlencode client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
--data-urlencode client-assertion=$SIGNED_JWT

Our client-assertion header/payload is similar to the following example:

{
  "alg": "PS256"
}
{
  "jti": "065d67c7-41f9-4da0-bdb6-1197d128dcc8",
  "aud": "https://banno.com/a/oidc-provider/api/v0/token",
  "sub": "OUR EXTERNAL APPLICATION CLIENT ID",
  "iss": "OUR EXTERNAL APPLICATION CLIENT ID",
  "iat": 1693247831,
  "exp": 1693247891
}
Dan Coughlin

1 Answer

The endpoint is expecting the parameters in snake case. Try swapping client-assertion with client_assertion. You shouldn't need the client-id either.

I'd also encourage you to take a look at our node.js sample: https://github.com/Banno/banno-client-creds-helper/blob/master/lib/commands/client-assertion.js

Sam
  • Hi, fixed the assertion to snake case and removed the client id and it has gone further, thank you. Now I am getting an unauthorized response 401 - Unauthorized when posting the assertion. I can replicate using your node sample/utility with the following syntax: npx @jack-henry/banno-client-creds-helper client-assertion --client-id=OUR_EXTERNAL_APP_CLIENT_ID --private-key=./private-key-path I am using the CLIENT ID associated with our External Application (OAuth PKCE)... should I be using a different client ID associated with the public key the client uploaded perhaps? – Dan Coughlin Aug 28 '23 at 22:45
    There is a _separate_ type of External Application for the Admin API. The Client ID for an External Application for the Consumer API is not the same as the Client ID for an External Application for the Admin API. The former is something an institution can do in Banno People and the latter is in Banno Users & Groups. – Jaime Lopez Jr. Aug 29 '23 at 00:40
    This quickstart is probably helpful too: https://jackhenry.dev/open-api-docs/admin-api/quickstarts/authentication/ – Jaime Lopez Jr. Aug 29 '23 at 00:40
  • Ah, now I get it, and it makes sense. So, the Associated User that was set up (in this case with the "Manage institution messages" permission for Alerts) would have spun off a Client ID after the permission was assigned and saved, as stated in Step 5 of the documentation link you sent above: Step 5. Press save Press the Save button to create the configuration of the API credentials. This will generate the Client ID necessary for the next step. – Dan Coughlin Aug 29 '23 at 01:51
    Technically the `Associated User` needs to be created _first_ so that it's selectable as an option when creating the External Application. The creation of the External Application (with configured public key and selected Associated User) is what generates the Client ID for the Admin API. – Jaime Lopez Jr. Aug 29 '23 at 15:24